Rec'd PCT/PTO 02 DEC 2004




(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(19) World Intellectual Property Organization
International Bureau

(43) International Publication Date: 8 January 2004 (08.01.2004)
(10) International Publication Number: WO 2004/004199 A1







(51) International Patent Classification 7: H04L 9/32, 9/08, H04Q 7/38

(21) International Application Number: PCT/EP2002/007076

(22) International Filing Date: 26 June 2002 (26.06.2002) 

(25) Filing Language: English 

(26) Publication Language: English 

(71) Applicant (for all designated States except US): TELEFONAKTIEBOLAGET LM ERICSSON (publ) [SE/SE]; S-126 25 Stockholm (SE).

(72) Inventor; and
(75) Inventor/Applicant (for US only): HOWARD, Joe [IE/IE]; 158 Brandon Road, Drimnagh, Dublin 12 (IE).

(74) Agents: HOFFMANN EITLE et al.; Arabellastrasse 4, 81925 München (DE).

(81) Designated States (national): AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, OM, PH, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VN, YU, ZA, ZM, ZW.

(84) Designated States (regional): ARIPO patent (GH, GM, 
KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), 
Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), 
European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, 
GB, GR, IE, IT, LU, MC, NL, PT, SE, TR), OAPI patent 
(BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, ML, MR, 
NE, SN, TD, TG). 

Declaration under Rule 4.17:

— as to applicant's entitlement to apply for and be granted a patent (Rule 4.17(ii)) for the following designations AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, OM, PH, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TN, TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZM, ZW, ARIPO patent (GH, GM, KE, LS,

[Continued on next page]



(54) Title: METHOD OF CONTROLLING A NETWORK ENTITY AND A MOBILE STATION 



[Front-page drawing (Fig. 3): flowchart with steps S31 "New message received from network", S33 "Interrupt ongoing message exchange procedure", S34 "Initiate encryption key generation procedure", and, on the "No" branch, S35 "Continue ongoing message exchange procedure".]

(57) Abstract: A method of controlling a network entity (4, 5) of a mobile communication network and a mobile station (1) is described, as well as a corresponding mobile station and network entity. The network entity (4, 5) and the mobile station (1) are arranged to conduct a plurality of predetermined message exchange procedures in the course of which predetermined messages are exchanged between said network entity (4, 5) and said mobile station (1) depending on the given procedure. The predetermined messages may be encrypted, an encrypted message being any message of which at least a part is encrypted. The network entity (4, 5) and the mobile station (1) are furthermore arranged to conduct one or more encryption key generation procedures in parallel during which the network entity (4, 5) and the mobile station (1) generate and store respective corresponding encryption keys, in order to be able to encrypt and decrypt exchanged messages. The method comprises a step of determining (S21) whether a received message from the mobile station is encrypted. If the received message is encrypted, it is determined (S22) whether a correct encryption key for decrypting said message is available to said network entity (4, 5), and if no correct key is available, a predetermined triggering message is sent to said mobile station (1). The mobile station (1) then interrupts (S33) the procedure in the course of which it sent the encrypted message for which the network entity (4, 5) did not have a correct key, and initiates (S34) an encryption key generation procedure.
Method of controlling a network entity and a mobile station

[Field of the invention]

The present invention relates to a method of controlling a network entity of a mobile communication network and a mobile station arranged to communicate with the mobile communication network, and to a network entity and mobile station capable of performing the method.

[Background of the invention]

It is known to use encryption in mobile communication systems. In other words, in order to enhance security, messages exchanged over the air-interface between a mobile station and a network entity of a mobile communication network are encrypted, such that the sending side uses an encryption key and the receiving side requires an appropriate key for decrypting the message and thereby discerning the message content. It should be noted that the present specification and claims shall use the term "key" or "encryption key" with respect to keys used both for encryption and decryption. It should also be noted that the term "network entity" shall be used for any network element or combination of network elements that fulfils a given function, such as the function of handling message exchanges with a mobile station. As such, a network entity can be provided by hardware, software or any combination of hardware and software, and can be implemented in one node of a mobile communication network, or spread out over several nodes.

In order to provide both the mobile station and the network entity with appropriate corresponding encryption keys, with which each respective element can decrypt messages received from the other, it is possible to generate one encryption key in one element, store it in that element, and then transmit it to the other element. However, this is highly disadvantageous, as it is possible that the encryption key sent over the air-interface is intercepted. Consequently it is preferred to implement respective and corresponding encryption key generation procedures in both the network entity and the mobile station, where corresponding encryption keys (which may be identical, or different from one another, depending on the encrypting scheme used) are respectively generated in parallel, such that the mobile station and the network entity can each on their own have corresponding or matching encryption keys. The correspondence between the encryption keys is ensured by using corresponding algorithms in the mobile station and network entity. This is well known and need not be described in more detail.

Furthermore, it is known to start the encryption key generation on the two respective sides using a common seed value, e.g. a regularly changed random or pseudo-random value broadcast by the mobile communication network to all network entities and listening mobile stations.

The generation of encryption keys is commonly performed at predetermined instances, for example when the mobile station registers with the mobile communication network. Usually the encryption keys are only generated at certain types of registrations, such as power-on, the transition from one switching entity (e.g. a mobile switching center MSC) to another, or forced registration, in which the network commands the mobile station to perform a registration.

The communication between a mobile station and a network entity is commonly arranged such that it will use a plurality of message exchange procedures in the course of which predetermined messages are exchanged between the network entity and the mobile station, the type and number of exchanged messages depending on the given message exchange procedure. Examples of message exchange procedures are a registration procedure, a link set-up procedure, a link configuration procedure, a call set-up procedure etc. For example, if the mobile station wishes to originate a call, it will send a predetermined call origination request to the network entity, and will then wait for a certain type of response message. In other words, the mobile station will wait for a precise and expected type of response from among a limited number of possible responses, e.g. one that confirms the receipt of the origination request, or one that provides call establishment information, etc. Messages not belonging to the limited group of expected responses will be ignored and the entity will continue to wait for an expected message. Usually, a time-out feature will also be implemented, according to which the mobile station only waits for a predetermined time-out period. After the time-out period expires, the mobile station can e.g. repeat the request, or also enter an idle mode and indicate a corresponding failure to the user of the mobile station, e.g. a call establishment failure in the above mentioned example of initially sending a call set-up request.

The message exchange procedures can be such that some or all exchanged messages in a given procedure are encrypted. It may be noted that the term "encrypted message" refers to any message of which at least a part is encrypted. For example, an encrypted message can be a message that contains a (first) unencrypted part and a (second) encrypted or encryptable part. As an example, a message could be contained in one or more packets, each having a header and a payload section, where the header is not encrypted and the payload section is.

An example of rules governing the use of encryption in the communication between a mobile station and the network entity of a mobile communication network is provided by standard TIA/EIA-136 published by the Telecommunication Industry Association. In TIA/EIA-136 a mode called enhanced privacy and encryption (EPE) is provided, which is an authentication-related capability that adds confidentiality to signals transmitted over a time division multiple access (TDMA) digital channel between a base station of a mobile communication network and a mobile station. The encryption, if supported by the network entity and the mobile station, is mandatory and is automatically activated, pending handshaking procedures between the mobile station and base station.

TIA/EIA-136 specifies that with EPE encryption is automatically activated after authentication is complete if both the mobile station and the system support the feature. TIA/EIA-136 further specifies that support for EPE is mandatory for mobile stations that adhere to protocol version 4, but mobile stations that adhere to lower protocol versions may also support EPE.

The type of encryption applied, together with the type of data encrypted, is controlled and authorized by means of encryption domains. Encryption domains define the level and type of encryption desired, the manner in which the encryption shall be applied and the data eligible for encryption. The encryption domain identifies the portion of FACCH/SACCH (Fast Associated Control Channel/Slow Associated Control Channel) messages on digital or analogue channels that are subject to encryption, together with the encryption algorithm to be applied. Prior to the introduction of EPE, a single encryption domain had been defined, namely Domain-A. This allowed the encryption of a portion of the messages on the FACCH/SACCH together with the payload (circuit-switched speech or data) on a digital traffic channel and a portion of the messages on the analogue voice channel. This information, defined by the Domain-A encryption domain, is eligible for encryption by the Domain-A encryption algorithms only. The encryption of payload (circuit-switched speech or data) by a Domain-A encryption is commonly known as voice privacy, and the encryption of layer 3 messages by a Domain-A encryption is commonly known as Domain-A message encryption.

EPE introduces a new encryption domain, namely Domain-B. The Domain-B encryption domain again defines a portion of the messages on the FACCH/SACCH digital traffic channel, a portion of messages on the digital control channel together with payload (circuit-switched speech or data). This information, defined by the Domain-B encryption domain, is eligible for encryption by the Domain-B encryption algorithm.

A single encryption algorithm known as Scema is introduced as the Domain-B encryption algorithm, producing encryption keys for the encryption of both circuit-switched speech/data on a digital traffic channel and Layer 3 messages (both on digital traffic and digital control channels), as defined by TIA/EIA-136.



The Domain-B encryption applies to the following:

- Domain-B message encryption for user signalling on the digital control channel. The DCCH-encryption key (DCCH = Digital Control Channel), generated in both the mobile station and the network entity, is applied to specific Layer 3 TIA/EIA-136 DCCH messages.

- Domain-B message encryption for user signalling on the digital traffic channel. The DTC-encryption key, generated in both the mobile station and the network entity, is applied to specific Layer 3 TIA/EIA-136 DTC messages.

- Domain-B encryption on the digital traffic channel for both circuit-switched voice and data. The DTC-encryption key generated in both the mobile station and the network entity is applied to circuit-switched voice and data.
EPE on the DCCH is activated at registration. Both the mobile station and system generate the Domain-B encryption keys, based on, among other information, the currently available value of a parameter called RAND (a random variable which is broadcast on the control channel). The generation of the keys is performed on both the mobile station side and the network side in parallel. This ensures that the encryption keys are "synchronized", where "synchronized" means that the keys on either side are in correct correspondence to one another, such that each side can decrypt the messages encrypted by the other side. The generated encryption keys are stored in both the mobile station and the network.

The encryption keys are only generated at certain types of registration, including power-on, transition to a new switching entity (MSC), and forced registration, where the network entity informs the mobile station whether EPE should be activated via the registration accept message.

Once activated, the mobile shall encrypt a portion of RACH messages (RACH = Random Access Channel) with the generated encryption key. Layer 3 messages subject to Domain-B encryption on the reverse digital control channel are: Origination, Page Response, R-data and Serial Number.

Layer 3 messages subject to Domain-B encryption on the forward digital control channel are: Analogue Voice Channel Designation, Digital Traffic Channel Designation, Message Waiting, Page, R-data, Registration Accept and User Alert messages.

On reception of a message on the RACH from a mobile station camped on a DCCH, the network entity will determine whether a message is encrypted or not with Domain-B encryption, by using the message encryption indicator field of the Layer 2 extension header. If the message is not encrypted, then processing of the message will occur as implemented in the given system. If the encryption indicator field indicates that a message is encrypted with Domain-B encryption, the Domain-B DCCH-encryption key shall be retrieved from its storage location, e.g. a visitor location register VLR, where the encryption key is stored together with other information related to the subscriber using the mobile station that is in communication with the network entity. Once the Domain-B DCCH-encryption key is available, the message shall be decrypted and processing of the message is completed as implemented in the network.

The terms Layer 3 and Layer 2 used above refer to different levels specified by TIA/EIA-136, and are not to be understood as layers within the meaning of the OSI model.

[Object of the invention]

The object of the invention is to improve the operation of a network entity of a mobile communication network and a mobile station that are able to exchange encrypted messages, and which both are arranged to conduct respective encryption key generation procedures in parallel.

[Summary of the invention]

This object is solved by the method of claim 1, the mobile station of claim 8 and the network entity of claim 10. Advantageous embodiments are described in the dependent claims. In accordance with the present invention, the network entity and mobile station are arranged to operate such that if the network entity receives a message from the mobile station, it determines whether the received message is encrypted, and if the received message is encrypted, it determines whether a correct encryption key for decrypting the message is available to the network entity. In other words, it is determined whether any encryption key is available, and if one is available, it is determined whether this key is the correct one, which can be recognised by analysing the decryption result. In other words, if the decryption is not successful, then the used key is evidently not correct.

The network entity is furthermore arranged such that if no correct key is available, then a predetermined triggering message is sent to the mobile station. The mobile station is arranged such that upon receiving the predetermined triggering message, it interrupts the message exchange procedure currently active, i.e. the procedure in the course of which it sent the encrypted message for which the network entity did not have a correct key, and initiates an encryption key generation procedure. Through the parallel encryption key generation procedures, the mobile station and network entity in parallel generate matching or corresponding encryption keys and are thereby again "synchronized" with respect to encryption, i.e. both have the correct encryption key for decrypting encrypted messages sent by the other side.

The specific advantage of the present invention lies in the fact that the mobile station does not wait until the ongoing message exchange procedure comes to an end by itself, e.g. by a time-out. Namely, it has been recognised by the inventor of the present invention that under conventional circumstances, if for any reason the network entity can not obtain a correct encryption key for decrypting an encrypted message received from the mobile station, the network entity can not respond appropriately, such that the mobile station will continue the ongoing message exchange procedure that sent the encrypted message, i.e. would wait for the expected response to the encrypted message, which expected response, however, can not be provided by the network entity, as it can not decrypt the message. During this time of continuing the ongoing message exchange procedure, i.e. waiting, a conventional mobile station will disregard any other communications or messages from the network entity, even a message indicating that the mobile station should re-register. Such a re-registration will only occur when the conventional mobile station has returned to the idle mode after having finally abandoned the message exchange procedure. The time until the conventional mobile station abandons the message exchange procedure can last very long, as it does not only include the time-out period, because it is also possible that after a first expiry of the time-out period, the mobile station will reinitiate the message exchange procedure using encrypted messages, to which the network entity can not respond, such that several time-out periods may pass before the conventional mobile station will enter an idle mode, in which it can re-register and thereby perform an encryption key generation procedure in parallel with the network entity.

Such a disadvantage is completely obviated by the teaching of the present invention. Namely, if the network entity is unable to decrypt a received encrypted message, it sends a triggering message to the mobile station, whereupon the mobile station interrupts the ongoing message exchange procedure, i.e. does not wait until a time-out occurs, in order to immediately initiate an encryption key generation procedure in parallel with the network entity. Thereby, an unnecessary loss of time for performing encryption key generation procedures in the network entity and mobile station is avoided.

Preferably, the messages are arranged such that they have a first part and a second part, where the first part is an unencrypted part that is not allowed to be encrypted (i.e. always unencrypted) and a second part that is encryptable. Then, the unencrypted part may contain an encryption indication of whether the second part is encrypted or not, and the step of determining whether a received message is encrypted is performed by analysing the encryption indication.

According to another preferred embodiment, when the messages are arranged such that the first part contains a message type identifier identifying the type of the message (e.g. link set-up request, call set-up request, etc.), the network entity is arranged to identify the message type of the received message from the message type identifier, and to determine whether the identified message type belongs to a predetermined category, and to only send the triggering message to the mobile station if the message type falls into the predetermined category. For example, the predetermined category can be that the received message is a set-up request. Then, the triggering message will only be sent if the received encrypted message for which no correct encryption key is available is a set-up message.

According to another preferred embodiment, the encryption key generation procedures used in the network entity and the mobile station comprise obtaining an encryption base value, such as the seed value mentioned in the introduction, for generating corresponding encryption keys based thereon. Preferably, the encryption base value is a regularly changed value that is broadcast by the network to listening mobile stations, such as the above mentioned random or pseudo-random value RAND.

According to another preferred embodiment, the encryption key generation procedure is conducted as a part of a registration procedure for the mobile station with the network entity. In other words, the initiation of the encryption key generation procedure comprises initiating a registration or re-registration procedure of the mobile station with the mobile communication network to which the network entity belongs, in the course of which parallel encryption key generation procedures are conducted in the network entity and the mobile station.
[Brief description of drawings]

Further aspects and advantages of the present invention shall become apparent from the study of the following detailed description of preferred embodiments of the invention, which are given as examples and are not intended to be limiting, where the description makes reference to the attached drawings in which:

Fig. 1 shows a schematic representation of a mobile station of an embodiment of the present invention;

Fig. 2 shows a flowchart of a procedure conducted in a network entity in accordance with an embodiment of the present invention;

Fig. 3 shows a flowchart of a routine conducted in a mobile station according to an embodiment of the present invention;

Fig. 4 shows a schematic representation of a mobile station and a network entity according to an embodiment of the present invention; and

Fig. 5 shows a schematic representation of a message containing a first unencrypted part and a second encryptable part.

[Detailed description of embodiments]

Fig. 1 shows a schematic block diagram of a mobile station 1 arranged to operate according to the present invention. Fig. 1 shows an antenna 11, a transmitting and receiving part 12, and a signal processing section 13. The signal processing section 13 comprises a processor 132 and a memory 131. The processor 132 is indicated as comprising an encryption key generator 1321, a message encryptor/decryptor 1322 and a controller 1323 for controlling the operation of the mobile station. It may be noted that the mobile station will generally contain further conventional features, such as a microphone, loudspeaker, display, keyboard and other well known elements, which are not shown, as they have no relevance for the present description.

The encryption key generator 1321, message 
encryptor/decryptor 1322 and controller 1323 are shown as 
being software components executed by the processor 132. 
However, it may be noted that they could also be provided as 
separate hardware components, or as any suitable combination 
of hardware and software. 

The encryption key memory 131 can be provided in any suitable 
or desirable way, e.g. as a RAM. The signal processing 
section 13 can comprise further memory elements, such as ROMs 
for storing software and other information, where such 
additional memory elements are not shown for simplicity. 

According to the embodiment shown in Fig. 1, the encryption key generator 1321 serves to generate an encryption key, which is then stored in the encryption key memory 131. The message encryptor/decryptor 1322 encrypts messages sent to the mobile communication network by the mobile station 1, and decrypts messages received from the mobile communication network, by using one or more stored encryption keys. The contact with the mobile communication network is established by the transceiver 12 and antenna 11, as is well known, such that a further description is not necessary here.

According to the embodiment of Fig. 1, the controller 1323 is arranged to control the operation of the mobile station 1, and is specifically arranged to perform one or more predetermined message exchange procedures with the mobile communication network, such as a link set-up, call set-up, etc. In the course of such message exchange procedures, the mobile station sends predetermined types of messages (such as a call set-up request) and waits for predetermined corresponding types of response messages from the communication network (such as a call set-up acknowledgement). Furthermore, the controller 1323 is arranged to identify the receipt of a predetermined unencrypted triggering message from the mobile communication network during the course of an ongoing message exchange procedure, and is arranged to interrupt the ongoing message exchange procedure in response to receiving the predetermined unencrypted triggering message, and to then initiate an encryption key generation procedure.

This can also be seen in the flow chart of Fig. 3, which shows a part of a routine executed by the controller 1323. In step S31, the receipt of a new message from the mobile communication network is detected. Subsequently, in step S32 it is determined whether the received message is of a predetermined type and is a triggering message. If it is a triggering message, then the procedure goes to step S33, in which the ongoing message exchange procedure is interrupted, whereupon step S34 is conducted, in order to initiate an encryption key generation procedure, e.g. as a part of a registration or re-registration procedure of the mobile station with the mobile communication network. On the other hand, if step S32 determines that the received message is not the predetermined triggering message, then the procedure branches to step S35, in which the ongoing message exchange procedure is continued.

Fig. 4 shows a schematic representation of a network entity and a mobile station 1. In the example of Fig. 4, the network entity consists of a base station part 4 and a traffic control part 5, where said base station part 4 comprises a base transceiver station (BTS) 41 and a base station controller (BSC) 42. The traffic control part 5 comprises a mobile switching center (MSC) 51 and a data base 52, which comprises a home location register (HLR) and visitor location register (VLR). The network entity thereby has the structure known from GSM, such that a further description is not necessary here. It may be noted that the base station controller 42 may be connected to a plurality of base transceiver stations, and that the mobile switching center 51 may be connected to a plurality of base station parts (i.e. a plurality of base station controllers). Also, the mobile switching center 51 is typically connected to further network entities, such as gateways to other networks, which is well known in the art and not shown in Fig. 4 for simplicity.

According to the embodiment of Fig. 4, the network entity 
provided by base station part 4 and traffic control part 5 
comprises an encryption key generator 511 located in the 
mobile switching center 51, where the data base 52 acts as an 
encryption key memory for storing encryption keys generated 
by the encryption key generator 511. Furthermore, a message 
encryptor/decryptor 421 is provided in the base station 
controller 42 for encrypting messages sent to the mobile 
station 1 and decrypting messages received from the mobile 
station 1 using an encryption key stored in the database 52. 
It may be noted that the generated encryption keys are 
preferably stored in the VLR part of the database 52, in 
association with other data belonging to the subscriber using 
the mobile station 1. 

The mobile switching center acts as a controller for 
controlling the communication between the network entity 4, 5 
and the mobile station 1, where the MSC 51 is arranged to 
determine whether messages received from the mobile station 1 
are encrypted or not, and if a received message is encrypted, 
determining whether a correct key for decrypting the message 
is available or not. If no correct key is available, then a 
predetermined unencrypted triggering message is sent to the 
mobile station 1, for triggering an immediate encryption key 
generation procedure in the mobile station 1, as explained 
previously with respect to Figs. 1 and 3. An example of a 
routine executed by controller 51 is shown in the flow chart 
of Fig. 2. In step S21 it is determined whether a message 
received from the mobile station 1 is encrypted or not. Step 
S21 can be implemented in a variety of ways. For example, it 
is possible that the mobile station 1 sends an unencrypted 
indication signal to the network entity, said unencrypted 
indication signal informing the network entity that all 
subsequent messages sent by the mobile station are encrypted. 

In this case, step S21 simply consists in determining that 
the message is such a subsequent message. Preferably, the 
message structure is as shown in the example of Fig. 5, 
namely a message 6 consists of a first part 61, which is not 
allowed to be encrypted, and a second part 62, which is 
encryptable. The unencryptable part 61 preferably contains a 
message type identifier 610 that identifies the type of the 
message (e.g. as a call set-up request), and an encryption 
indication 611 that indicates whether the encryptable part 62 
is in fact encrypted or not. As such, the encryption 
indication 611 can be a single bit, where one bit value 
indicates encryption and the other lack of encryption. 
Naturally, the encryption indication 611 can also be more 
complicated and contain further information. 

In this case, step S21 in Fig. 2 consists in examining or 
analysing the encryption indication 611. If the message is 
encrypted, step S22 determines whether a correct key is 
available. For example, this can consist in determining 
whether any key is available in the database 52 for the 
mobile station 1 (the subscriber using mobile station 1), and 
if not, then this already indicates that no correct key is 
available. However, it is also possible that a key is 
available, but that a decryption attempt for the received 
message leads to the conclusion that the key is not correct, 
as it does not lead to a successful decryption. 
There are several reasons why a correct encryption key may 
not be available for decrypting the received message. For 
example, if the encryption keys are stored in the VLR in 
association with other subscriber data, it is possible that 
they are deleted in the course of regular "re-cycling" 
operations conducted by the operator of the network, in 
which subscriber records are deleted if the corresponding 
mobile station has not registered with the network within an 
operator-defined period of time. It is possible that an 
active mobile station has disabled the periodic registration 
function, or that it has "missed" a registration due to 
temporary communication problems. If the subscriber record 
has been re-cycled, then the encryption key is lost, and if 
the mobile station then proceeds to send an encrypted 
message, e.g. a call set-up request, then the network entity 
cannot decrypt the message and respond accordingly. 

Returning to Fig. 2, if the outcome of step S22 indicates 
that no correct key is available, then a procedure S23 is 
initiated, in which a predetermined unencrypted triggering 
message is sent to the mobile station, which makes the mobile 
station conduct an immediate encryption key generation 
procedure. In the course of this encryption key generation 
procedure, e.g. a registration or re-registration, the 
network entity also performs an encryption key generation 
procedure in parallel, such that matching or corresponding 
encryption keys are available both in the mobile station and 
the network entity, and encrypted messages can again be 
exchanged without any problems. 


In the example of Fig. 4, the message encryptor/decryptor 421 
and the encryption key generator 511 are shown as software 
routines implemented in the base station controller 42 and 
mobile switching center, respectively. However, it may be 
noted that the encryption key generator 511 and the message 
encryptor/decryptor 421 can also be provided as separate 
hardware elements or as any suitable combination of hardware 
and software. Moreover, the structure of the example of Fig. 
4 is only an example, and the functional elements can also be 
provided otherwise, e.g. spread out over all of the shown 
nodes or provided in other nodes. Moreover, the database 52 
associated with the mobile switching center 51 can be used as 
an encryption key memory, but an encryption key memory can 
also be provided in association with any other element shown 
in Fig. 4. Furthermore, although the example of Fig. 4 is 
related to GSM, the concept of the present invention is not 
restricted to GSM mobile communication networks, but can be 
used in the context of any mobile communication system in 
which encrypted messages are used, and in which encryption 
key generation procedures are implemented on the mobile 
station side and the network side. 

Now a preferred embodiment of the present invention shall be 
explained in the context of the standard TIA/EIA-136 
discussed in the introduction to the application. It may be 
noted that the discussion of TIA/EIA-136 in the introduction 
is herewith incorporated into the disclosure of the 
invention. 

On reception of an encrypted RACH message from the mobile 
station, the network entity will be able to determine that 
the message is encrypted via the Layer2 header information 
(as e.g. shown in Fig. 5). If the Domain-B DCCH-encryption 
key is not available and the network entity is unable to 
decrypt the message, it can use a message indicator (such as 
the indication 610 shown in Fig. 5) to determine what message 
the mobile has sent, as the message type is not encrypted. 

As one possibility, the network entity can reject the service 
requested by the message, regardless of the message type, and 
send an unencrypted layer 3 message to the mobile station, 
stating that the reason for rejection is a "system-related 
cryptography mismatch". Preferably, the message indicating 
the system-related cryptography mismatch is only sent for 
messages of a certain type. In other words, it is preferably 
analysed whether the message type of an encrypted message 
that is not decryptable belongs to a predetermined category 
(e.g. the category defined by all set-up messages), and the 
message indicating system-related cryptography mismatch is 
only sent if the received encrypted message belongs to the 
predetermined category. 
More specifically, examples of received encrypted messages 
from the mobile station in response to which the network 
entity can send a message indicating system-related 
cryptography mismatch are the following Layer3 messages: 
Origination Message, Page Response Message and R-data 
Message. In response to the Origination Message, the network 
entity can build a Reorder/Intercept message including the 
indication "system-related cryptography mismatch" in the 
Cause Extension Information Element. In response to the Page 
Response Message, the network entity can send a Release 
message, which also includes the "system-related cryptography 
mismatch" in the Cause Extension Information Element. 
Finally, in response to the R-data message, the network 
entity can send a Reorder/Intercept message, also including 
the "system-related cryptography mismatch" in the Cause 
Extension Information Element. Alternatively, an R-data reject 
message can also be sent. 

On reception of one of the above described response messages, 
which are all examples of triggering messages, the mobile 
station is arranged to examine the received cause value (the 
Cause Extension Information Element). If the reason is 
"system-related cryptography mismatch", the mobile station is 
arranged (programmed) to immediately interrupt the ongoing 
procedure (e.g. interrupt waiting for the appropriate 
response to the sent message), and declaring a Forced 
Registration condition, in order to invoke a Registration 
procedure. In the Registration procedure, a parallel 
encryption key generation procedure is conducted in the 
mobile station and the network entity. The registration 
procedure is e.g. specified in TIA/EIA-136-123: TDMA third 
generation wireless digital control channel Layer3. 

In order to implement the above described example in context 
of TIA/EIA-136, the appropriate specification may be updated 
as follows: The Cause Extension IE should be updated to 
contain the rejection reason "system-related cryptography 
mismatch". The Waiting for Order State should be updated to 
allow the mobile station to declare a Forced Registration 
condition and invoke the Registration procedure on reception 
of a Release message, specifying the reason for rejection as 
"system-related cryptography mismatch". The Origination 
Proceeding State should be updated to allow the mobile 
station to declare a Forced Registration condition and invoke 
the Registration procedure on reception of a 
Reorder/Intercept message specifying the reason for rejection 
as "system-related cryptography mismatch". The Originated 
Point-to-Point Teleservice Proceeding should be updated to 
allow the mobile station to declare a Forced Registration 
condition and invoke the Registration procedure on reception 
of a Reorder/Intercept message, specifying the reason for 
rejection as "system-related cryptography mismatch". 
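As an added illustration (not code from the patent or from TIA/EIA-136), the following Python simulation models the message layout of Fig. 5, the controller routine of Fig. 2 (steps S21 to S23, including the predetermined category of set-up messages) and the mobile station's Forced Registration reaction described above; the key derivation, the toy cipher with its integrity tag, the subscriber secret and the IMSI-style identifier are constructed assumptions, not the standard's algorithms.

```python
import hmac, hashlib
from dataclasses import dataclass

CAUSE_MISMATCH = "system-related cryptography mismatch"   # cause value carried in the Cause Extension IE
SETUP_TYPES = {"Origination", "Page Response", "R-data"}   # predetermined category that gets a triggering message
def derive_key(secret: bytes, rand: bytes) -> bytes:
    # Constructed key generation: both sides derive matching keys from the subscriber secret and the broadcast RAND
    return hmac.new(secret, rand, hashlib.sha256).digest()
def seal(key: bytes, payload: bytes) -> bytes:
    # Constructed toy cipher: SHA-256 keystream XOR plus an 8-byte HMAC tag, so a wrong key is detected (S22)
    stream = hashlib.sha256(key + b"keystream").digest()
    ct = bytes(b ^ stream[i % 32] for i, b in enumerate(payload))
    return hmac.new(key, ct, hashlib.sha256).digest()[:8] + ct
def unseal(key: bytes, blob: bytes):
    tag, ct = blob[:8], blob[8:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()[:8]):
        return None   # the decryption attempt fails: the stored key is not the correct one
    stream = hashlib.sha256(key + b"keystream").digest()
    return bytes(b ^ stream[i % 32] for i, b in enumerate(ct))

@dataclass
class Message:   # Fig. 5 layout: type identifier 610 and encryption bit 611 are never encrypted, part 62 may be
    msg_type: str
    encrypted: bool
    part62: bytes

class Network:   # MSC/VLR side: key generator 511, key memory 52 and the controller routine of Fig. 2
    def __init__(self, secret: bytes, rand: bytes):
        self.secret, self.rand, self.keys = secret, rand, {}
    def register(self, imsi: str):                 # key generation run in parallel with the mobile's
        self.keys[imsi] = derive_key(self.secret, self.rand)
    def recycle(self, imsi: str):                  # VLR record re-cycling: the stored key is lost
        self.keys.pop(imsi, None)
    def handle(self, imsi: str, msg: Message):
        if not msg.encrypted: return "ACK", msg.part62   # S21: read indication 611
        key = self.keys.get(imsi)                  # S22: is a key present, and does it decrypt?
        plain = unseal(key, msg.part62) if key else None
        if plain is not None: return "ACK", plain
        if msg.msg_type not in SETUP_TYPES:        # outside the predetermined category: no triggering message
            return "Discard", None
        reply = "Release" if msg.msg_type == "Page Response" else "Reorder/Intercept"
        return reply, CAUSE_MISMATCH               # S23: unencrypted triggering message with the cause value

class Mobile:    # mobile station side: key generator 1321, key memory 131 and controller 1323
    def __init__(self, imsi: str, secret: bytes):
        self.imsi, self.secret, self.key = imsi, secret, None
    def register(self, net: Network):              # Registration: both sides generate keys from the same RAND
        self.key = derive_key(self.secret, net.rand)
        net.register(self.imsi)
    def send(self, net: Network, msg_type: str, payload: bytes):
        reply, info = net.handle(self.imsi, Message(msg_type, True, seal(self.key, payload)))
        if info == CAUSE_MISMATCH:                 # S33/S34: interrupt, declare Forced Registration, then retry
            self.register(net)
            reply, info = net.handle(self.imsi, Message(msg_type, True, seal(self.key, payload)))
        return reply, info
```

After `net.recycle(imsi)` a call to `Mobile.send` first draws the triggering message, re-registers and then completes the set-up; a message type outside SETUP_TYPES is discarded without a triggering message.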
Claims 

1. A method of controlling a network entity (4, 5) of a 
mobile communication network and a mobile station (1), 
wherein said network entity (4, 5) and said mobile 
station (1) are arranged to conduct a plurality of 
predetermined message exchange procedures in the course 
of which predetermined messages are exchanged between 
said network entity (4, 5) and said mobile station (1) 
depending on the given procedure, where said 
predetermined messages may be encrypted, an encrypted 
message being any message of which at least a part is 
encrypted, and where said network entity (4, 5) and said 
mobile station (1) are arranged to conduct one or more 
encryption key generation procedures during which the 
network entity (4, 5) and the mobile station (1) 
generate and store respective corresponding encryption 
keys, in order to be able to encrypt and decrypt 
exchanged messages, where said method comprises the 
steps of: 

- if said network entity (4, 5) receives a message from 
said mobile station (1), determining (S21) whether said 
received message is encrypted, 

- if the received message is encrypted, determining 
(S22) whether a correct encryption key for decrypting 
said message is available to said network entity (4, 5), 
and if no correct key is available, sending (S23) a 
predetermined triggering message to said mobile station 
(1), 

- upon receiving said predetermined triggering message, 
said mobile station (1) interrupting (S33) the procedure 
in the course of which it sent the encrypted message for 
which the network entity (4, 5) did not have a correct 
key, and initiating (S34) an encryption key generation 
procedure. 
2. A method according to claim 1, wherein said messages are 
arranged such that they have a first part (61) and a 
second part (62), said first part (61) being an 
unencrypted part that is not allowed to be encrypted, 
and said second part (62) being encryptable. 

3. A method according to claim 2, wherein said messages are 
arranged such that said first part (61) contains an 
encryption indication (611) of whether said second part 
(62) is encrypted or not, and said determining of 
whether the second part (62) of said received message is 
encrypted or not is achieved by analysing said 
encryption indication (611). 

4. A method according to claim 2 or 3, wherein said 
messages are arranged such that said first part (61) 
contains a message type identifier (610) identifying the 
type of the message, and after having received a message 
from said mobile station (1), said network entity (4, 5) 
identifies the message type of said received message 
from the message type identifier (610) and determines 
whether said identified message type belongs to a 
predetermined category, and sends said predetermined 
triggering message to said mobile station (1) only if 
the message type of said received message falls into 
said predetermined category. 

5. A method according to one of the preceding claims, 
wherein said one or more encryption key generation 
procedures comprise obtaining an encryption base value 
(RAND) commonly available to said network entity (4, 5) 
and said mobile station (1) at the time of conducting 
said encryption key generation procedure, and generating 
corresponding encryption keys in said network entity (4, 
5) and said mobile station (1) on the basis of said 
encryption base value (RAND). 

6. A method according to claim 5, wherein said encryption 
base value (RAND) is a regularly changed value that is 
broadcast by said network to listening mobile stations 
(1). 



7. A method according to one of the preceding claims, 
wherein said encryption key generation procedure is 
conducted as a part of a registration procedure of said 
mobile station (1) with said network entity (4, 5) . 

8. A mobile station (1) arranged to operate with a mobile 
communication network, comprising 

an encryption key generator (1321) for generating an 
encryption key, 

an encryption key memory (131) for storing a generated 
encryption key, 

a message encryptor/decryptor (1322) for encrypting 
messages sent to said mobile communication network and 
decrypting messages received from said mobile 
communication network using a stored encryption key, an 
encrypted message being any message of which at least a 
part is encrypted, 

a controller (1323) for controlling the operation of 
said mobile station (1), said controller being arranged 
to perform one or more predetermined message exchange 
procedures with said mobile communication network, in 
the course of which said mobile station (1) sends 
predetermined types of messages to said mobile 
communication network and waits for predetermined 
corresponding types of messages from said mobile 
communication network, said controller furthermore being 
arranged to identify the receipt of a predetermined 
triggering message from said mobile communication 
network during the course of an ongoing message exchange 
procedure, and in response to said predetermined 
triggering message interrupting the ongoing message 
exchange procedure and initiating an encryption key 
generation procedure. 

9. A mobile station (1) according to claim 8, wherein said 
controller (1323) is arranged to conduct said encryption 
key generation procedure as a part of a registration 
procedure of said mobile station (1) with said mobile 
communication network. 

10. A network entity (4, 5) of a mobile communication 
network arranged to communicate with a mobile station 
(1), comprising: 

an encryption key generator (511) for generating an 
encryption key, 

an encryption key memory (51) for storing a generated 
encryption key, 

a message encryptor/decryptor (421) for encrypting 
messages sent to said mobile station (1) and decrypting 
messages received from said mobile station (1) using a 
stored encryption key, an encrypted message being any 
message of which at least a part is encrypted, 

a controller (51) for controlling the communication 
between said network entity (4, 5) and said mobile 
station (1), said controller (51) being arranged to 
determine whether messages received from said mobile 
station (1) are encrypted or not, and if a received 
message is encrypted, determining whether a correct key 
for decrypting said message is available to said network 
entity (4, 5), and if no correct key is available, 
sending a predetermined triggering message to said 
mobile station (1) for triggering an immediate 
encryption key generation procedure in said mobile 
station (1). 